Bugtraq mailing list archives

Advisory: ArGoSoft Mail Server Pro 1.8.1.7 DoS


From: Stan Bubrouski <stan () ccs neu edu>
Date: Sun, 04 Aug 2002 11:48:49 -0400

Author: Stan Bubrouski
Date: August 4, 2002
Product: ArGoSoft Mail Server Pro
Versions affected: 1.8.17 (current) and previous
Severity: A malicious user or users could mount a DoS using mail
forwarding and automatic responses to render the administrative
console unresponsive and raise CPU usage to 100%.

Problem:  There are coding errors in ArGoSoft Mail Server Pro
which allow for a Denial of Service attack to be initiated against the
mail server by regular webmail users.  Let me first explain what the
root of the problem is.  If a user configures his/her web account to
forward mail to themselves then sends a message to themselves,
the following will be seen on the administrative console:
...
8/4/2002 11:22:42 AM - [    39] Delivering to test
8/4/2002 11:22:42 AM - [    39] Forwarding mail to test
8/4/2002 11:22:43 AM - [    40] Delivering to test
8/4/2002 11:22:43 AM - [    40] Forwarding mail to test
8/4/2002 11:22:44 AM - [    41] Delivering to test
8/4/2002 11:22:44 AM - [    41] Forwarding mail to test
8/4/2002 11:22:44 AM - [ 41] Too many Received headers. Mailing loop suspected
8/4/2002 11:22:45 AM - [    42] Delivering to test
8/4/2002 11:22:45 AM - [    42] Forwarding mail to test
8/4/2002 11:22:45 AM - [ 42] Too many Received headers. Mailing loop suspected

Notice how the server after about 20 retries realized there was a
message loop.  This is fine, even if you send a thousand messages
like this, they do tie up the server a bit, but CPU usage does not
go to 100% and the admin console is still responsive.  If someone
was trying to attack like this, you'd still have the ability to go into
the file menu and hit "Suspend Delivery".  But if you configure your
e-mail like above to forward mail to yourself and you set up an
autoresponse for yourself in the web settings, now there is a problem:

8/4/2002 11:27:22 AM - [    47] Delivering to 2 recipients
8/4/2002 11:27:22 AM - [    47] Forwarding mail to test
8/4/2002 11:27:22 AM - [    47] Sending auto response...
8/4/2002 11:27:22 AM - [ 47] Autoresponse from test has been relayed to test
8/4/2002 11:27:22 AM - [    48] Delivering to test
8/4/2002 11:27:22 AM - [    47] Forwarding mail to test
8/4/2002 11:27:22 AM - [    48] Forwarding mail to test
8/4/2002 11:27:22 AM - [    47] Sending auto response...
8/4/2002 11:27:22 AM - [ 47] Autoresponse not sent, because it has been recently sent to test
8/4/2002 11:27:22 AM - [    48] Sending auto response...
8/4/2002 11:27:22 AM - [ 48] Message seems to be autoresponse itself. Will ignore to avoid loops
...
8/4/2002 11:28:37 AM - [ 133] Message seems to be autoresponse itself. Will ignore to avoid loops
8/4/2002 11:28:38 AM - [   134] Delivering to test
8/4/2002 11:28:38 AM - [   134] Forwarding mail to test
8/4/2002 11:28:38 AM - [   134] Sending auto response...
8/4/2002 11:28:38 AM - [ 134] Autoresponse from test has been relayed to test
8/4/2002 11:28:38 AM - [   135] Delivering to test
8/4/2002 11:28:38 AM - [   135] Forwarding mail to test
8/4/2002 11:28:38 AM - [   135] Sending auto response...
<turned off server to avoid problems>
8/4/2002 11:28:39 AM - Web server stopped
8/4/2002 11:28:39 AM - Finger server stopped
8/4/2002 11:28:39 AM - POP3 server stopped
8/4/2002 11:28:39 AM - SMTP server stopped

This goes on and on and on... and this is just one message sent by
user 'test' to user 'test' cc'ed to user 'test' with autoresponses turned
on.  Notice it no longer realizes the limit on forwarding the message.
And what's worse is that in the <install dir>/_outbox it keeps creating
new queue files for the same e-mail.  Essentially the loop has the
side effect of creating many files in the outbox, and the number
continues to increase over time.  Using a single message, as far as
I know, will not create a DoS attack, but you can automate the
sending of messages through the webmail very easily, and thus you
can do as I did in my testing and create a program to send
thousands of these mails.   What then happens is that, because the
server does not know to stop trying to deliver each e-mail, it keeps
trying, clinging to 100% CPU and rendering the admin console
unresponsive.  It will also begin to fill the outbox with thousands
and thousands of messages which continue to slowly increase
over time.  Clearly there is a problem in how it handles message
loops after autoresponse is turned on.  It seems to detect that
the autoresponses are looping but forgets that the messages may
be looping as well.  It seems to be a logic error somewhere in
the server code.

Just one user doing this may not cause a DoS on all systems.
On my system I had to set up two users, like such:
users: test and test2
test forwards mail to test1
test1 forwards mail to test
test and test1 have autoresponses turned on.
Sent flurry of messages from test to test, cc'ed to test1

This scenario halts the admin console from responding because
in all cases CPU usage should be stuck at 100%.  You'll see
text flying down the console but you will have no way of stopping
the deliveries which will continue to go on until you stop the server.

No proof of concept tools are provided, because the vendor has
not been contacted.
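
Added example (not part of the original advisory and not vendor code): a detector for the two symptoms visible in the console logs above, an autoresponse relayed back to its own sender and a burst of forwards to one account. The function name, the thresholds and the account "alice" are assumptions, and the sample lines are constructed in the advisory's log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Admin-console format quoted in the advisory, e.g.
# "8/4/2002 11:27:22 AM - [    47] Forwarding mail to test"
LINE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) - \[\s*\d+\] (.*)$")
FORWARD = re.compile(r"^Forwarding mail to (\S+)$")
SELF_REPLY = re.compile(r"^Autoresponse from (\S+) has been relayed to (\S+)$")

def find_loops(lines, max_forwards=5, window=timedelta(seconds=60)):
    """Map each suspicious account to the sorted list of reasons it was flagged.

    max_forwards and window are assumed thresholds; tune them to normal traffic.
    """
    recent = defaultdict(deque)   # account -> timestamps of forwards inside the window
    flagged = defaultdict(set)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue              # "..." markers, service start/stop lines
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        msg = m.group(2)
        reply = SELF_REPLY.match(msg)
        fwd = FORWARD.match(msg)
        if reply and reply.group(1) == reply.group(2):
            # An autoresponse addressed to the account that generated it.
            flagged[reply.group(1)].add("self-autoresponse")
        elif fwd:
            q = recent[fwd.group(1)]
            q.append(ts)
            while ts - q[0] > window:   # drop forwards older than the window
                q.popleft()
            if len(q) > max_forwards:
                flagged[fwd.group(1)].add("forward-burst")
    return {user: sorted(reasons) for user, reasons in flagged.items()}

# Constructed sample in the advisory's log format (not real server output).
SAMPLE = [
    "8/4/2002 11:27:22 AM - [    47] Forwarding mail to test",
    "8/4/2002 11:27:22 AM - [ 47] Autoresponse from test has been relayed to test",
    "8/4/2002 11:27:23 AM - [    48] Forwarding mail to alice",
    "<turned off server to avoid problems>",
] + [f"8/4/2002 11:27:{30 + i} AM - [    {49 + i}] Forwarding mail to test"
     for i in range(6)]

if __name__ == "__main__":
    print(find_loops(SAMPLE))
```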


